Open Source AI Agents Shouldn’t Be Unsupervised
Jaime is an open-source AI agent built and operated by First Line Software (FLS) since 2023. It runs live on firstlinesoftware.com and its full codebase is public at github.com/firstlinesoftware/fls-jaime. This article explains how Jaime is designed to be enterprise-safe: defined permission boundaries, controlled HubSpot lead routing with logged conversations, no community-contributed skill packages, and a single accountable owner of the full stack. Open source does not mean unsupervised.
Security is the number-one objection enterprise buyers raise about open-source AI agents — and in 2026, it stopped being hypothetical. The question leaders should ask of any open-source AI agent is not “can we read the code?” It is: “who is accountable for what this agent is allowed to do?”
What happened to open-source AI security in early 2026?
In late January 2026, Cisco’s AI Defense team scanned the most popular community-built add-on for a viral open-source AI agent. The scan surfaced nine security findings, including two critical issues. The add-on was functionally malware: it silently sent user data to servers controlled by its author and used hidden instructions to make the agent ignore its own safety rules. It had been installed thousands of times before detection.
In early February 2026, a follow-up audit by Koi Security identified 341 malicious add-ons in the same community registry. Broader research found that roughly one in four analyzed agent add-ons contained security flaws, including command injection and data exfiltration.
The incident changed how enterprise buyers evaluate open-source AI. “Is it open source?” is now followed immediately by a second question: “and who is accountable for it?”
Does this mean enterprises should avoid open-source AI?
No. The lesson is not to avoid open-source AI — it is to distinguish between two fundamentally different models:
Community-assembled agents. Anyone can publish extensions. There is no review gate. The attack surface grows with every download, and no single party is accountable for the whole system.
Vendor-operated open source. One team writes, reviews, and operates the code. The source is public and auditable, but the supply chain is closed. Accountability is unambiguous.
Open source tells you the code is inspectable. It does not tell you who answers for it. Jaime belongs to the second category.
How is Jaime designed to be enterprise-safe?
Jaime’s security posture rests on four design decisions:
Defined permission boundaries. Jaime operates within an explicit scope: it converses with website visitors, detects intent, surfaces content, and routes leads. It does not have open-ended system access. What the agent can do is defined in code — and because the code is public, that boundary is verifiable, not asserted.
Controlled lead routing with an audit trail. Jaime routes qualified visitors to HubSpot and triggers Slack and email notifications based on defined rules. Conversations are logged and traceable. When a lead lands in the CRM, there is a record of the conversation and the intent signals that put it there.
No community-contributed skill packages. Every component in the Jaime codebase was written and reviewed by First Line Software. There is no third-party extension registry, which means there is no registry to poison. The supply-chain attack vector that compromised community agent ecosystems in 2026 does not exist in Jaime’s architecture.
One owner of the full stack. FLS built Jaime, operates it in production on its own website, and maintains it across major versions. There is no ambiguity about who is responsible when the underlying model changes or a dependency shifts.
Why does open source make Jaime more secure, not less?
Because every security claim above is verifiable. The full codebase is public. Every component is readable, auditable, and modifiable. If your security or legal team needs to review what the agent does with visitor data, they can read the code — before any commercial conversation begins.
This is what transparency as trust means in practice. Most AI vendors explain what they build with decks and case studies. FLS publishes its code, because it is the only claim that can be verified.
“Publishing production code is a signal of confidence, not risk. We are certain enough in how we build to show it publicly.”
Vladimir Litoshenko
SVP, Global Business, First Line Software
What does Jaime’s production record show?
Jaime has run in continuous production on firstlinesoftware.com since 2023 — more than two years, across two major versions. Jaime 2.0 shipped in May 2025 with intent recognition, Smart Action Buttons, conversation history, and deeper CRM integrations, and the full codebase was open-sourced at the same time.
That record includes the events that typically break AI systems at month 12: a model deprecation, a regression caught before it reached users, and a major version upgrade completed without a platform rewrite. The commit history is the evidence.
How does this connect to Managed AI Services?
Jaime is the reference implementation for FLS Managed AI Services (MAIS®). FLS operates AI for clients the same way it operates Jaime: continuous evaluation, regression detection, cost monitoring, and version upgrades — inside defined permission boundaries, with audit trails.
For companies evaluating an AI agent for their own website, the open-source release is a deployable framework, not a demo. HubSpot, Slack, and email integrations are wired in. The modular architecture supports swapping LLMs and adding integrations without a rebuild. And your security team can inspect all of it first.
→ Learn about Managed AI Services
Frequently Asked Questions
Is open-source AI safe for enterprise use? Open-source AI is safe when the code has a single accountable owner, defined permission boundaries, and no unvetted third-party extensions. The 2026 security incidents affected community-assembled agents with open extension registries — a different model from vendor-operated open source like Jaime.
What is Jaime? Jaime is an open-source AI agent for enterprise websites, built and operated by First Line Software since 2023. It detects visitor intent, routes qualified leads to HubSpot, and responds in multiple languages, 24/7.
Does Jaime use community-contributed skill packages? No. Every component in the Jaime codebase was written and reviewed by First Line Software. There is no third-party extension registry.
How does Jaime handle visitor data? Jaime routes qualified leads to HubSpot and triggers notifications based on defined rules, with conversations logged and traceable. Because the codebase is public, security and legal teams can review exactly what the agent does with visitor data.
Can my security team audit Jaime before we deploy it? Yes. The full codebase is available at github.com/firstlinesoftware/fls-jaime. Every component is readable, auditable, and modifiable.
What is the difference between Jaime and community AI agents like the ones compromised in 2026? Community agents allow anyone to publish extensions, creating an open supply chain that attackers exploited at scale in early 2026. Jaime has a closed supply chain: one team writes, reviews, and operates all of the code, and the source is public for verification.
Is Jaime related to First Line Software’s Managed AI Services? Yes. Jaime is the MAIS® reference implementation. FLS builds, deploys, and operates AI agents for clients using the same practices it uses to run Jaime — continuous evaluation, regression detection, and controlled upgrades.
Last updated July 2026 · First Line Software
